Linux Disable or Enable ExecShield Buffer Overflows Protection

Now that I have CentOS (RHEL clone) installed on my IBM server, I’m wondering what ExecShield is and how I can disable it?

ExecShield is a security patch for the Linux kernel that helps protect against worms and other problems.


Wikipedia has more information about Exec Shield project:

Exec Shield is a project that got started at Red Hat, Inc in late 2002 with the aim of reducing the risk of worm or other automated remote attacks on Linux systems. The first result of the project was a security patch for the Linux kernel that adds an NX bit to x86 CPUs. While the Exec Shield project has had many other components, some people refer to this first patch as Exec Shield.

Task: Disable ExecShield protection

Type the following command as root user:
# sysctl -w kernel.exec-shield=0

To keep it disabled system-wide across reboots, add the following line to the /etc/sysctl.conf file:
# vi /etc/sysctl.conf
Append the following line:
kernel.exec-shield=0

Save and close the file. Please note that I don’t recommend disabling ExecShield protection.

You can also disable protection by appending the following parameter to the kernel line in the GRUB bootloader configuration:
# vi /etc/grub.conf
Modify the kernel line and append the exec-shield=0 parameter as follows:
kernel /vmlinuz-2.6.8 ro root=LABEL=/ exec-shield=0
Close and save the file.

Enable ExecShield Protection Against Buffer Overflows

Open your /etc/sysctl.conf file:
# vi /etc/sysctl.conf
Add the following lines:

kernel.exec-shield = 1
kernel.randomize_va_space = 1

Save and close the file. The first line enables ExecShield protection and the second line enables random placement of virtual memory regions. To load the sysctl settings, enter:
# sysctl -p
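
Because the steps above append lines to /etc/sysctl.conf, one file can end up holding both the disable and the enable setting; sysctl -p applies the lines in order, so the last assignment wins. The script below is an added example, not part of the original article, that reports the effective value of both keys in a given file; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the ExecShield / ASLR settings in a sysctl.conf file.

# effective_value FILE KEY -> prints the value sysctl -p would leave in place
# (the last uncommented assignment wins), or nothing if KEY is never set.
effective_value() {
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }                 # skip comment lines
        NF >= 2 {
            k = $1; v = $2
            gsub(/[ \t]/, "", k); gsub(/[ \t\r]/, "", v)
            if (k == key) last = v
        }
        END { if (last != "") print last }
    ' "$1"
}

# audit_conf FILE -> one line per key; returns 1 if a key is explicitly set to 0.
audit_conf() {
    rc=0
    for key in kernel.exec-shield kernel.randomize_va_space; do
        val=$(effective_value "$1" "$key")
        case "$val" in
            "") echo "$key: not set in file (kernel default applies)" ;;
            0)  echo "$key: DISABLED (0)"; rc=1 ;;
            *)  echo "$key: enabled ($val)" ;;
        esac
    done
    return $rc
}

# Constructed sample: the disable line was added first, the enable lines later.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# /etc/sysctl.conf (constructed sample)
kernel.exec-shield=0
net.ipv4.ip_forward = 0
# kernel.randomize_va_space = 0
kernel.exec-shield = 1
kernel.randomize_va_space = 1
EOF
audit_conf "$sample" || echo "review $sample: a protection is set to 0"
```

To check a real system, call audit_conf /etc/sysctl.conf and compare the result with the running values shown by sysctl kernel.exec-shield kernel.randomize_va_space.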

3 comments
  • Miker Mar 17, 2009 @ 12:45

    Does selinux supersede this now?

  • Daniel Kühl Lima Nov 24, 2009 @ 12:08

    One thing is one thing, another thing is another thing.

  • Quentin M. Apr 5, 2011 @ 14:24

    To be on the safe side, better use this:
    kernel.exec-shield = 2
    kernel.randomize_va_space = 2

    The rationale behind this:
    – a value of 0 completely disables ExecShield and Address Space Layout Randomization
    – a value of 1 enables them ONLY if the application bits for these protections are set to “enable”
    – a value of 2 enables them by default, except if the application bits are set to “disable”
    – a value of 3 enables them always, whatever the application bits
    – a value of
